Searches all user profiles for credentials related to Microsoft Azure.

SharpCloud.exe gcloud

Searches all user profiles for credentials related to Google Compute.

SharpCloud with Aggressor

If you use Cobalt Strike, this repo includes a sharpcloud.cna file for CS. This adds several aliases for execute_assembly with SharpCloud.exe:

dump_aws

dump_gcloud

dump_azure

The SharpCloud.exe binary needs to be in the same directory as the script.

The aliases are fairly self-explanatory. As an example, dump_aws is an alias for execute_assembly SharpCloud.exe aws. While it would be trivial to set aside the C# and write SharpCloud using shell or PowerShell commands, this was not done to keep SharpCloud’s checks and data collection as stealthy as possible. That means avoiding command line logging.

It is notable that dump_aws will add any discovered credentials to Cobalt Strike’s Credentials model. Should the alias find AWS credentials, those credentials will be saved just like credentials discovered via Mimikatz and other Cobalt Strike utilities. They will appear with the realm set to “AWS” and the access key and access secret set as the user and password. If an AWS token is present in the profile, the token will be noted in the password field. The AWS profile name will be saved in the source field.

This is only done for AWS credentials, but might be done for Azure in a future version. It’s not feasible for Google Compute because Compute uses SQLite3 databases and reading the values from them becomes much trickier. It is possible, and potentially useful, to do this for credential information found inside Compute’s legacy_credential directory.

We use cookies to ensure that we give you the best experience on our website. By using and further navigating this website you accept this. Detailed information about the use of cookies on this website is available by clicking on Read more information.OkRead more